How much security do you get in switching the SSH port (can't they just scan you anyway as you mention) and is it worth that minor usability hit for legitimate users?
–
Nick T Aug 2 '13 at 0:48

1

@NickT it turns out to be enough to significantly reduce login attempts. Where I'd get thousands of attempts in a week/day, so far I haven't had any for the last month, simply by switching the port.
–
AntoineG Mar 10 '14 at 14:30

I would argue that monitoring logs is a weak solution, especially if you have a weak password on an account. Brute-force attempts often try at least hundreds of keys per minute. Even if you have a cron job set to email you about brute-force attempts, it could be hours before you get to your server.

If you have a public-facing SSH server, you need a solution that kicks in long before you can be hacked.

I would strongly recommend fail2ban. Their wiki says what it does better than I can.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Getting protection from it is as simple as sudo apt-get install fail2ban.

By default, as soon as somebody has three failed attempts, their IP gets a five minute ban. That sort of delay essentially halts an SSH brute force attempt, but it's not going to ruin your day if you forget your password (but you should be using keys anyway!)
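To make the "three failures, then a five minute ban" behaviour concrete, here is an added example (not code from the answer above and not fail2ban's own implementation) that applies the same logic to a few constructed sshd log lines: it matches "Failed password" entries, counts failures per source IP inside a sliding window, and records a ban once the threshold is reached. The parameter names maxretry, findtime and bantime mirror the fail2ban jail settings of the same names; the log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample /var/log/auth.log lines (syslog format, no year in the timestamp).
SAMPLE_LOG = """\
Mar 10 14:30:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar 10 14:30:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 4423 ssh2
Mar 10 14:30:04 host sshd[2003]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar 10 14:30:05 host sshd[2004]: Failed password for root from 203.0.113.5 port 4424 ssh2
Mar 10 14:30:06 host sshd[2005]: Failed password for root from 203.0.113.5 port 4425 ssh2
Mar 10 14:31:00 host sshd[2006]: Failed password for bob from 198.51.100.7 port 51001 ssh2
Mar 10 14:36:00 host sshd[2007]: Failed password for root from 203.0.113.5 port 4426 ssh2
"""

# Matches the sshd "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2014):
    """Syslog timestamps carry no year; assume one (constructed default) so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=3, findtime=600, bantime=300):
    """Replay log lines in order and return [(ip, iso_time)] for every ban that would be issued.

    maxretry: failures allowed inside the window before a ban (fail2ban default 3)
    findtime: window length in seconds in which the failures must occur
    bantime:  how long (seconds) the IP stays banned once the threshold is hit
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures, oldest first
    banned_until = {}              # ip -> time the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned_until and t < banned_until[ip]:
            continue  # with the firewall rule in place this attempt never reaches sshd
        window = failures[ip]
        window.append(t)
        # Drop failures that fell out of the findtime window.
        while window and (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, t.isoformat()))
            banned_until[ip] = t + timedelta(seconds=bantime)
            window.clear()  # counting starts fresh after the ban expires
    return bans


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG):
        print(f"ban {ip} at {when}")
```

With the defaults, 203.0.113.5 is banned at its third failure (14:30:05); its fourth attempt one second later is simply dropped, and the single failure from 198.51.100.7 never reaches the threshold. Raising maxretry to 5 shows the other side of the trade-off the answer mentions: the attacker's attempt at 14:36:00 still lands inside the ten minute window and triggers the ban, but a legitimate user who mistypes a password a few times is left alone.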